Snort mailing list archives
Re: lots of alerts on so rule "possible DGA detected"
From: <kestutis.malakauskas () barclays com>
Date: Tue, 25 Nov 2014 09:52:39 +0000
Hello,

The same here, we do see lots of (FP) hits. Doesn’t seem this SIG to be very useful at this point.

Kestutis

Kestutis Malakauskas | Lead Attack Monitoring Analyst | Global Information Security | Security Operations
Tel +370 5 251 1847 | Mobile +370 652 89466 | Email kestutis.malakauskas () barclays com
Barclays, 8th Floor | Balčikonio str. 7 | Vilnius | Lithuania GMT+2
Barclays.com Hotline: +370 520 62424

From: Ronny Vaningh [mailto:ronny () guard-it be]
Sent: 25 November 2014 09:56
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] lots of alerts on so rule "possible DGA detected"

Hi

I'm seeing a lot of alerts on an SO rule that looks for DGAs.

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected"; sid:31738; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|31738, service dns;)

It seems to trigger on DNS requests that are appending search domains, like:

First the host does a request for myserverhostname001.subdomain.domain.com

After receiving an NXDOMAIN it appends a search domain suffix and generates a request like myserverhostname543.subdomain.domain.com.searchdomain.com

Does anyone know what this SO rule is actually looking for, and is there any way I can influence this? It looks pretty useful, so I want to avoid disabling it.

Regards
Ronny
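The false-positive mechanism Ronny describes (a stub resolver retrying an NXDOMAIN'd name with each search-list suffix appended, producing long digit-bearing names that a name-only heuristic may treat as random) can be handled on the analyst side before the alert is trusted. The script below is an added example written for this page; it is not code from the thread, from Snort or from the Talos SO rule, and nothing here reproduces what sid 31738 does internally. It replays NXDOMAIN responses in arrival order, tags a query as a search-suffix retry when its base name (suffix stripped) was already NXDOMAIN'd by the same client, and judges the remaining names with a dictionary-segmentation check rather than length alone. The search list, the wordlist, the client addresses and the query names are all constructed; the `suppress` line uses Snort 2.x threshold.conf syntax, and `track by_dst` is chosen because the rule is written `$EXTERNAL_NET 53 -> $HOME_NET any`, so the internal client is the packet's destination.

```python
"""Added example (not from the thread, Snort or Talos): triage helper for
NXDOMAIN-driven "random-looking hostname" alerts such as gid 3, sid 31738.

Two things the thread points at:
  1. A stub resolver that gets NXDOMAIN for
       myserverhostname001.subdomain.domain.com
     retries with each entry of its search list appended. Those retries
     are long, digit-bearing names that a name-only heuristic may flag.
  2. "Random-looking" needs a better test than length; here the leftmost
     label is checked for segmentation into dictionary words.
Search list, wordlist, client IPs and query names below are constructed.
"""
import re
from collections import Counter, defaultdict

# Assumed: the resolver search list of the monitored clients (in practice
# taken from /etc/resolv.conf, DHCP option 119 or the Windows DNS suffix list).
SEARCH_DOMAINS = ("searchdomain.com", "corp.example")

# Constructed stand-in for a real wordlist.
WORDS = {"my", "server", "host", "name", "mail", "print", "backup", "web",
         "db", "app", "test", "proxy", "sub", "domain"}
MAX_WORD = max(len(w) for w in WORDS)


def strip_search_suffix(qname, search_domains=SEARCH_DOMAINS):
    """Return (name without a trailing search suffix, matched suffix or None)."""
    q = qname.rstrip(".").lower()
    for sd in search_domains:
        sd = sd.rstrip(".").lower()
        if q.endswith("." + sd):
            return q[:-len(sd) - 1], sd
    return q, None


def segments_into_words(label, words=WORDS):
    """True if the alphabetic part of the label splits entirely into
    dictionary words (dynamic programming, so 'myserverhostname' is found as
    my+server+host+name instead of failing on a bad greedy choice)."""
    s = re.sub(r"[^a-z]", "", label.lower())
    if not s:
        return False
    ok = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        for start in range(max(0, end - MAX_WORD), end):
            if ok[start] and s[start:end] in words:
                ok[end] = True
                break
    return ok[len(s)]


def looks_random(label):
    """Heuristic used here: long enough to matter and not made of words."""
    alpha = re.sub(r"[^a-z]", "", label.lower())
    return len(alpha) >= 8 and not segments_into_words(label)


def triage_nxdomain(records, search_domains=SEARCH_DOMAINS):
    """records: (client_ip, qname) pairs for NXDOMAIN responses, in time
    order. Returns (client_ip, qname, verdict) triples, where verdict is
    'search-suffix-retry', 'random-looking' or 'benign-looking'."""
    seen = defaultdict(set)          # client -> names already NXDOMAIN'd
    out = []
    for client, qname in records:
        q = qname.rstrip(".").lower()
        base, suffix = strip_search_suffix(q, search_domains)
        if suffix is not None and base in seen[client]:
            verdict = "search-suffix-retry"   # resolver retry, not new activity
        elif looks_random(base.split(".")[0]):
            verdict = "random-looking"
        else:
            verdict = "benign-looking"
        seen[client].add(q)
        out.append((client, q, verdict))
    return out


def verdict_counts(records, search_domains=SEARCH_DOMAINS):
    """Summary of verdicts, handy for judging how noisy a rule is on a site."""
    return Counter(v for _, _, v in triage_nxdomain(records, search_domains))


def suppress_line(client_ip, gid=3, sid=31738):
    """Snort 2.x threshold.conf suppression for one client (assumed syntax).
    The rule is $EXTERNAL_NET 53 -> $HOME_NET any, so the client is the
    destination of the matching packet: track by_dst."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {client_ip}"


# Constructed NXDOMAIN responses, in arrival order.
SAMPLE_NXDOMAIN = [
    ("10.0.0.5", "myserverhostname001.subdomain.domain.com"),
    ("10.0.0.5", "myserverhostname001.subdomain.domain.com.searchdomain.com"),
    ("10.0.0.5", "myserverhostname001.subdomain.domain.com.corp.example"),
    ("10.0.0.7", "xkqjwzpvmtgb.subdomain.domain.com"),
    ("10.0.0.7", "xkqjwzpvmtgb.subdomain.domain.com.searchdomain.com"),
    ("10.0.0.9", "backupdb02.subdomain.domain.com"),
]

if __name__ == "__main__":
    for client, q, verdict in triage_nxdomain(SAMPLE_NXDOMAIN):
        print(f"{client:10} {verdict:20} {q}")
    print(verdict_counts(SAMPLE_NXDOMAIN))
```

On the constructed input the three suffix retries are set aside, the two hostnames built from dictionary words stay benign, and only the unsegmentable label is kept as random-looking. A word-segmentation check is a cheap first filter, not a DGA classifier: wordlist-based DGAs pass it, and a small wordlist misses legitimate labels, so treat its output as a triage aid. Per-host suppression with `suppress` stops every alert from that host for that rule, including a real DGA infection later, so it belongs on hosts whose retries are understood (or, better, fix the resolver search behaviour on those hosts) rather than on the whole $HOME_NET.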
Current thread:
- lots of alerts on so rule "possible DGA detected" Ronny Vaningh (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" kestutis.malakauskas (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" Alex McDonnell (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" Patrick Mullen (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" C. L. Martinez (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" waldo kitty (Nov 25)
- Re: lots of alerts on so rule "possible DGA detected" kestutis.malakauskas (Nov 25)